Inside Role Separation on Windows

Informix Dynamic Server Role Separation can be important for data server installations where clearly defined security roles exist. This post describes how to disable Role Separation on Windows if you decide you don't need it after all, and how to enable only part of it: perhaps you no longer wish to maintain separate users and groups for specific DBA tasks, or perhaps you don't want to have to add every valid user to the ix_users group before they can connect to the database.

You cannot turn off role separation once you have enabled it. To remove role separation, you must uninstall the database server and reinstall it without role separation.

There is a good reason for this: disabling role separation without reinstalling means editing the registry, and if that goes wrong you are back to reinstalling anyway. It is sensible to follow the policy that any task requiring direct edits to the registry is unsupported.

With suitable disclaimers in place, here's how Role Separation can be disabled on Windows without reinstalling IDS. The required edits are presented in the form of a regini script. In order to use it you would need to modify it to set "ol_myserver" to your INFORMIXSERVER value. If anyone knows how to specify an environment variable as a registry key in a regini script please let me know.

; Important:
; Read the comments and warnings in this script -
; 1. Understand what it does before attempting to use it
; 2. Backup your HKEY_LOCAL_MACHINE\Software\Informix registry key before use

; First switch off Role Separation in the DBMS key so uninstall doesn't look for it:
;
; Warning - If you have multiple instances installed change "Setup" and "Security" below
; to the value corresponding to your instance, e.g. "Setup1", "Security1" etc
;
; Warning - If your IDS version is not 10.00 edit the version in these keys:
;
HKEY_LOCAL_MACHINE\Software\Informix\DBMS\10.00\Setup
    Role Separation = REG_DWORD 0x00000000
    AAO User = DELETE
    DBSSO User = DELETE
HKEY_LOCAL_MACHINE\Software\Informix\DBMS\10.00\Security\IXAAO
    Group Name = REG_SZ Informix-Admin
HKEY_LOCAL_MACHINE\Software\Informix\DBMS\10.00\Security\IXDBSSO
    Group Name = REG_SZ Informix-Admin
HKEY_LOCAL_MACHINE\Software\Informix\DBMS\10.00\Security\IXUSERS
    Group Name = REG_SZ *

; Next set the Security groups to their default non-separated values
;
; Important - change "ol_myserver" to the value of your INFORMIXSERVER
;
; Warning - If your default IXDBSA group is not called Informix-Admin
; edit the following lines:
HKEY_LOCAL_MACHINE\Software\Informix\Online\ol_myserver\Security\IXAAO
    Group Name = REG_SZ Informix-Admin
HKEY_LOCAL_MACHINE\Software\Informix\Online\ol_myserver\Security\IXDBSSO
    Group Name = REG_SZ Informix-Admin
HKEY_LOCAL_MACHINE\Software\Informix\Online\ol_myserver\Security\IXUSERS
    Group Name = REG_SZ *

Once a customized version of this script is run, check that the changes were made correctly, and then manually delete the ix_aao and ix_dbsso security groups that were created at install time. When IDS restarts it should be back to its default, non-role-separated state.
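As an added check that is not part of the original post, the following PowerShell function reads back the keys the regini script edits and reports anything that still looks role separated. The version, INFORMIXSERVER name, Setup/Security key names and DBSA group name are parameters you must set to match your installation, and it assumes ix_aao and ix_dbsso were created as local groups:

```powershell
# Added example, not from the original post. Reports registry values that do not
# match the non-role-separated state the regini script is meant to produce.
function Test-IdsRoleSeparationOff {
    param(
        [string]$Version   = '10.00',          # IDS version, as in DBMS\10.00
        [string]$Server    = 'ol_myserver',    # your INFORMIXSERVER value
        [string]$Setup     = 'Setup',          # 'Setup1' etc. for extra instances
        [string]$Security  = 'Security',       # 'Security1' etc. likewise
        [string]$DbsaGroup = 'Informix-Admin'  # default IXDBSA group name
    )
    $base     = 'HKLM:\SOFTWARE\Informix'
    $setupKey = "$base\DBMS\$Version\$Setup"
    $findings = @()

    # The Role Separation flag must be 0 and the per-role user values deleted
    $p = Get-ItemProperty -Path $setupKey -ErrorAction Stop
    if ($p.'Role Separation' -ne 0) {
        $findings += "Role Separation is $($p.'Role Separation') in $setupKey, expected 0"
    }
    foreach ($v in 'AAO User', 'DBSSO User') {
        if ($p.PSObject.Properties.Name -contains $v) { $findings += "$v still present in $setupKey" }
    }

    # Both the DBMS-level and instance-level Security keys must map AAO and DBSSO
    # onto the DBSA group and leave IXUSERS open ('*')
    $expected = @{ IXAAO = $DbsaGroup; IXDBSSO = $DbsaGroup; IXUSERS = '*' }
    foreach ($root in "$base\DBMS\$Version\$Security", "$base\Online\$Server\Security") {
        foreach ($role in $expected.Keys) {
            $actual = (Get-ItemProperty -Path "$root\$role" -ErrorAction Stop).'Group Name'
            if ($actual -ne $expected[$role]) {
                $findings += "$root\$role Group Name is '$actual', expected '$($expected[$role])'"
            }
        }
    }

    # The groups created at install time are deleted by hand; flag any left behind
    foreach ($g in 'ix_aao', 'ix_dbsso') {
        if (Get-LocalGroup -Name $g -ErrorAction SilentlyContinue) {
            $findings += "local group $g still exists"
        }
    }
    return ,$findings
}

$result = Test-IdsRoleSeparationOff
if ($result.Count -eq 0) { 'Role separation is fully disabled' }
else { $result | ForEach-Object { "CHECK FAILED: $_" } }
```

Run it from an elevated PowerShell before restarting IDS; any "CHECK FAILED" line points at a key or group the script did not reach.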

What this registry structure implies is that a partial role separation implementation is possible. For example, suppose you don't want separate DBA roles, but do want to improve security by only allowing members of an ix_users group to access the data server. You could implement this by creating an operating system group for your users, and then setting the